Fuzzing by Michael Hanselmann found an infinite loop parsing a malformed
supplemental credentials structure. There are no server-side
network-accessible calls using this code.
This patch adds an ndrdump blackbox test to replicate the issue.
s4:heimdal_build: move krb5-types.h into include/krb5-types.h
source4/heimdal_build/include/ contains public headers,
which are needed by callers.
source4/heimdal_build/*.h should only be used for building the
in tree heimdal itself.
Without this an '#include "replace.h"' can catch 'config.h' from
source4/heimal_build/config.h before bin/default/include/config.h.
This #defines HAVE_CLOSEFROM unconditionally before replace.h can define
the replacement for rep_closefrom() on systems without libbsd.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 3 23:36:17 UTC 2019 on sn-devel-184
Volker Lendecke [Sun, 1 Dec 2019 09:07:06 +0000 (10:07 +0100)]
auth3: Remove auth_script
Did this ever really work?
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Dec 2 22:47:24 UTC 2019 on sn-devel-184
Uri Simchoni [Sun, 20 Oct 2019 18:36:11 +0000 (21:36 +0300)]
heimdal-build: avoid hard-coded /usr/include/heimdal in asn1_compile-generated code.
This fixes a cross-compilation issue, as cross-compilers (rightly)
complain if host include directories are in the include path.
The fix is taken from buildroot (https://github.com/buildroot/buildroot/blob/8b11b96f41a6ffa76556c9bf03a863955871ee57/package/samba4/0006-heimdal_build-wscript_build-do-not-add-host-include-.patch) where it was applied by Bernd Kuhls <bernd.kuhls@t-online.de>.
Signed-off-by: Uri Simchoni <uri@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Dec 1 10:22:01 UTC 2019 on sn-devel-184
The winbindd program was built in a single target with many source file,
making reuse of parts elsewhere impossible. With this change the
majority of the code is built as a subsystem and included in the binary
as a dependency.
Signed-off-by: Michael Hanselmann <public@hansmi.ch> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 20 Nov 2019 05:55:47 +0000 (18:55 +1300)]
selftest: Test partial parse behaviour in ndrdump
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov 29 02:09:11 UTC 2019 on sn-devel-184
Andrew Bartlett [Tue, 19 Nov 2019 03:07:50 +0000 (16:07 +1300)]
librpc: Make CFDATA private to cab.idl and remove pull and push functions
We can do this because ndr_{pull,push}_CFDATA is unused.
The earlier commit 466d5e814727046dd630d5503b43874ec46a365e removed
the link between "uint16 cbData" and the size of "DATA_BLOB ab" so
when the new ndr_fuzz_X fusser pushed a new structure this allowed
a read beyond the end of allocated memory.
The ndr_push_cab_file() function is also manually written and
does not rely on the value of cbData to calculate the checksum.
Found by Douglas Bagnall using Hongfuzz and the new fuzz_ndr_X
fuzzer, which like ndrdump's struct mode uses the public structure
tables. (This is how it found the unused functions to test).
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Björn Baumbach [Tue, 26 Nov 2019 09:41:29 +0000 (10:41 +0100)]
samba-tool tests: prepare tests for new samba-tool functionality
Use ldbsearch instead of "samba-tool user show" to get base64 encoded
attribute. Used to verify that the attribute value has been changed
successfully.
Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Isaac Boukris [Fri, 22 Nov 2019 21:39:09 +0000 (22:39 +0100)]
krb5: move disabling dns-canon to lower level init calls
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Isaac Boukris <iboukris@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Nov 27 12:24:16 UTC 2019 on sn-devel-184
Ralph Boehme [Tue, 19 Nov 2019 10:53:50 +0000 (11:53 +0100)]
docs-xml: remove explicit "constant"
The constant mark applied to types "string" and "ustring". The previous patches
in this patchset already markes all string options as either constant or
substituted, but it's still possible to add options or change existing ones to
be neither constant nor substituted.
In order to enforce strings to be either constant or substitued, remove the
explicit constant marker. Instead, any option that is not marked as substituted
is implicitly made constant.
This patch doesn't change behaviour and all generated files are the same before
and after this change.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 4 Nov 2019 18:27:41 +0000 (19:27 +0100)]
smbdotconf: mark "ldap user suffix" with constant="1"
Due to the use of append_ldap_suffix() where Globals.ldap_suffix is returned
directly, variable substitution isn't supported anyway, so we can just mark this
const.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 4 Nov 2019 18:27:41 +0000 (19:27 +0100)]
smbdotconf: mark "ldap machine suffix" with constant="1"
Due to the use of append_ldap_suffix() where Globals.ldap_suffix is returned
directly, variable substitution isn't supported anyway, so we can just mark this
const.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 4 Nov 2019 18:27:41 +0000 (19:27 +0100)]
smbdotconf: mark "ldap idmap suffix" with constant="1"
Due to the use of append_ldap_suffix() where Globals.ldap_suffix is returned
directly, variable substitution isn't supported anyway, so we can just mark this
const.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 4 Nov 2019 18:27:41 +0000 (19:27 +0100)]
smbdotconf: mark "ldap group suffix" with constant="1"
Due to the use of append_ldap_suffix() where Globals.ldap_suffix is returned
directly, variable substitution isn't supported anyway, so we can just mark this
const.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 5 Nov 2019 08:46:21 +0000 (09:46 +0100)]
smbdotconf: mark "ldap suffix" with constant="1"
Due to the use of append_ldap_suffix() where Globals.ldap_suffix was used
directly in the dependent options like "ldap group suffix", we can just mark
this option as const thereby removing substitution from "ldap suffix".
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 4 Nov 2019 16:54:23 +0000 (17:54 +0100)]
smbdotconf: mark "ldap admin dn" with constant="1"
All the other LDAP related options like "ldap user suffix" don't support
variable substitution, so I guess it's safe to remove support for it from this
one as well.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
projects / thirdparty / samba.git / log
